Automation

A powerful low-to-no-code approach that allows your SOC to start automating complex tasks on day one.

Contact sales

Installable workflows

View all

These are additional workflows that you can choose to install from Cisco, its partners, and the Cisco XDR community. These are not installed by default and offer additional use cases beyond the workflows built into Cisco XDR. More information about installable workflows can be found in the Cisco XDR product documentation.

Logo for Jamf Pro
Jamf Pro - Remove Mobile Device from Static Group
Cisco Managed
This workflow appears in the pivot menu and allows you to remove a mobile device from a static group in Jamf Pro.
Pivot Menu
Learn more
Logo for Microsoft Defender for Endpoint GCC
Microsoft Defender for Endpoint GCC - Block IOC
Cisco Managed
This workflow appears in the pivot menu and allows a user to block an indicator of compromise (IOC) in Microsoft Defender for Endpoint GCC.
Pivot Menu
Learn more
Logo for Palo Alto Networks Cortex XDR
Palo Alto Networks Cortex XDR - Add Hash to Allow List
Cisco Managed
This workflow appears in the pivot menu and allows a user to add a file hash to an allow list in Palo Alto Networks Cortex XDR.
Pivot Menu
Learn more
Logo for SentinelOne Singularity
SentinelOne - Add Hash to Blocklist
Cisco Managed
This workflow appears in the pivot menu and allows you to add a file hash to a blocklist in SentinelOne.
Pivot Menu
Learn more
Logo for Slack
Slack - Send Message for New Incident
Cisco Managed
This workflow works with an incident automation rule to send a Slack message when a new incident is created in Cisco XDR.
Learn more

Built-in workflows

View all

Workflows typically achieve an end-to-end use case. For example, fetching information from an incident, identifying endpoints to isolate, and requesting isolation for each endpoint. If you're familiar with software development, think of a workflow as a script that achieves an end-to-end outcome by taking one or more smaller steps. The workflows listed here are built into Cisco XDR and do not require installation or, in most cases, configuration. More information about workflows can be found in the Cisco XDR product documentation.

XDR - Automation Rule - Update Incident Properties
Cisco Managed
This workflow allows you to update an incident's properties.
Learn more
XDR - Restore Domains
Cisco Managed
This workflow consumes one or more domains and attempts to restore them.
Learn more
XDR - Restore IP Addresses
Cisco Managed
This workflow consumes one or more IP addresses and attempts to restore them.
Learn more
XDR - Restore URLs
Cisco Managed
This workflow consumes one or more URLs and attempts to restore them.
Learn more
XDR - Restore Users
Cisco Managed
This workflow consumes one or more usernames or email addresses and attempts to restore matching users in all supported products.
Learn more

Built-in actions

View all

Also known as atomic actions, these are small, reusable components you can use when building a workflow. Cisco XDR comes with over 500 actions built in for various products and capabilities or you can build your own. If you're familiar with software development, think of a workflow as a script that achieves an end-to-end outcome and an action as a function within the script. Actions usually do perform a specific, single task like creating a ticket or sending an instant message. More information about built-in actions can be found in the Cisco XDR product documentation.